APAC Insurance CRO survey Empowering for transformation

Transcription

1 APAC Insurance CRO survey Empowering for transformation

2 Contents > 03 Introduction 05 Profile of the respondents 08 Operationalizing the three lines of defense model 10 Enhancing the risk appetite framework 13 Developing and implementing the risk culture and conduct frameworks 16 Strengthening the management of cyber risk across the organization 18 Preparing for and addressing key regulatory challenges 21 Positioning adequately for emerging trends 23 Engaging in the digital transformation of the risk management function 27 Key contacts

3 Introduction About the survey This Asia-Pacific (APAC) Insurance Chief Risk Officer (CRO) survey has been undertaken with the aim of gaining insights into the role that CROs and risk functions play among insurers, and the key priorities of CROs in the short and medium term. This survey has been designed to qualitatively understand the changing dynamics in the outlook of the risk function and the manner in which the CRO role is evolving. To that extent, we assessed CROs ability to contribute indirectly to value creation, identified the key challenges they face and their priorities as a result of changing regulatory requirements and unstable economic environment, and collected their views on the evolving role of technology in the industry and how they manage the risks associated with it. Our findings this year call for the continued empowerment of individual accountabilities in particular across the three lines of defense to manage risk. This includes enhancing the risk appetite framework and developing and implementing risk culture and conduct frameworks. The need for this is critical for insurers to be successful in transforming their business in response to numerous internal and external pressures. Our results explore this further in the areas of emerging risks including cyber, the overabundance of regulatory change and the digital agenda already on our door step. Our respondents We spoke to a spectrum of leading life and non-life insurance companies, reinsurers, and prominent insurance groups headquartered in APAC, which specialize in multiline insurance business generating sizeable premiums and with an extensive global reach. Each of these firms have their own unique proposition to offer and are market leaders or trendsetters in their respective area of specialty. EY sincerely thanks the CROs and companies that shared their insights with us out of their busy schedules to enrich the content of this year s survey. APAC Insurance CRO survey Ι Empowering for transformation 3

4 4 APAC Insurance CRO survey Ι Empowering for transformation

5 Profile of the respondents We interviewed 22 group or regional CROs with the following profile: 41% Respondents profile by region 27% 32% 27% Respondents profile by insurance 73% 59% 32% Respondents profile by business 9% Australia ASEAN Greater China Insurer Reinsurer Life Composite General The vast majority of respondents surveyed have had a risk team for more than five years and about two-thirds have had the CRO as part of the executive team for more than five years. Fig. 1: How long ago was the risk team created? Greater than 5 years ago 86% 3-5 years 5% 1-2 years 9% Fig. 2: How long has the CRO been a part of the executive team? Greater than 5 years ago 64% 3-5 years 1-2 years 18% 18% Less than 1 year 0% APAC Insurance CRO survey Ι Empowering for transformation 5

6 Regulatory requirements and mandate from the board and management were the main motivations behind the building of a risk management capability. What have been the motivations behind the building of a risk management capability: 1. Regulatory and compliance drivers 2. Board mandated 3. Management driven 4. Need for specialist capability 5. Public perception 6. Shareholder and activist demand Even though the risk function of most respondents were established a long time ago, the scope of their responsibilities continue to evolve over time. Thirty-six percent of the surveyed CROs have been given new responsibilities over the past year, such as: Reviewing potential data breaches Measuring and driving risk culture Providing input into asset liability management (ALM) and investment risk oversight Establishing a quality assurance line 2.5 between the second and third lines of defense Expanding into other area of the business Fig. 3: Have you been given new responsibilities or authority over the past year? 36% 64% Yes No More than three-quarters of the respondents think that the CRO has a responsibility to ensure that the company grows: While growth is not the primary focus of the CRO as a member of the executive team, the CRO has a responsibility to support shareholder returns and this includes sustainable growth in the investment, and input into risk-adjusted returns is a key component of this as is the need to ensure a robust system of controls is in place to support business growth and ensure appropriate conduct. Fig. 4: Does the CRO have a responsibility to ensure that the company grows? 77% 23% Yes No 6 APAC Insurance CRO survey Ι Empowering for transformation

7 Consistent with last year s survey results, CROs find it difficult to evidence that the risk function is adding value in the eyes of the internal stakeholders. They get mostly informal feedback from management and sometimes from the first line. As a good practice, some respondents have implemented risk culture and voice of the customer surveys to take the pulse of their stakeholders across the organization. When asked about the Risk team s biggest accomplishments over the past months and which areas they expect to devote significantly more attention to in the next 12 months, the responses varied between Asia-Pacific respondents. It reflected notably the diversity of Asian respondents and the relative maturity of Australian CROs. Yet, risk culture is on top of the CROs agenda across the Asia-Pacific region. [I receive] unsolicited invitations to project meetings, leadership meetings, strategy meetings, working groups, product meetings, client visits, etc. suggesting that, beyond a standard risk governance framework, risk s advice is being sought. Biggest accomplishments over the past months Areas getting significantly more attention in the next 12 months Asian respondents Own Risk and Solvency Assessment (ORSA) improvement Operational risk management Development of an integrated risk management system together with a proper risk appetite framework Capital management initiatives Risk culture Cyber risk and information security Enterprise risk management (ERM) framework Investment risk Australian respondents Risk reporting and dashboards Incident management Risk culture ERM framework Embedment and up-skilling of first line and greater risk accountability Conduct and culture Governance, Risk and Compliance (GRC) tools APAC Insurance CRO survey Ι Empowering for transformation 7

8 Operationalizing the three lines of defense model Commentary Ninety-five percent of respondents, surveyed across Asia-Pacific, have adopted a formal three lines of defense (LoD) model, with the remaining insurer indicating that they are working toward implementing this model. Fig. 5: Does your company adopt a formal three-lod model? 95% 5% Yes No Key findings CROs acknowledged the three-lod model to work well in design, but the model presented difficulties during its implementation in practice. A majority of CROs identified that the greatest challenge with the three-lod model is delineating the roles between the first and second line. In particular, CROs recognize the need to strengthen their first line and ensure their risk ownership and accountability. Despite these challenges, CROs are already actively thinking about or starting to implement ways to enhance the operating effectiveness of the three- LoD model. These include the following: A line 1.5 function is created where the second line is actively working to develop first line s capability to own their risks. CROs see that the line 1.5 function would eventually be phased out, allowing the first line to operate independently, and the second line to be a challenge and review function over risks. Performance assessment is linked to the responsibilities of day-to-day activities in risk management. Some insurers indicated that they are introducing risk management indicators in the first line as part of their performance appraisal system. Training is provided through workshops to enhance risk understanding and awareness with a desire to promote a risk management culture across the insurer. 8 APAC Insurance CRO survey Ι Empowering for transformation

9 The three-lod model is giving a false sense of security to the board if there is a failure in the first line, there is a failure in the second line. Then it means there is a failure in all the three lines. In that sense, strengthening the first line is the main challenge. The three-lod model works well, but the only problem that can arise is in scenarios where the first line does not want to own up to the risk, and don t believe their job involves managing the risk. What can we learn from the banking sector? Key findings from the Eighth annual global EY/IIF bank risk management survey: Banks recognize that operationalizing the model, and making it effective and efficient is, if not anything, more challenging than designing the broad-brush framework. Four elements stand out: Make risk management smarter, faster and more costeffective: Reducing costs cannot undermine the need for strong risk management and controls. Wean off people-dependent risk management: Traditionally, financial institutions have depended heavily on adding head count in risk and compliance because of tight regulatory and remediation deadlines. There are now signs that people-dependent risk models are not sustainable. Develop a new talent strategy: Financial institutions will have to compete much harder to recruit, retain and motivate talent that can operate in contexts of not only risk, but also in technology. Drive standardization: Standardizing, automating and centralizing testing capabilities are an important vehicle for weaning off a people-dependent model. APAC Insurance CRO survey Ι Empowering for transformation 9

10 Enhancing the risk appetite framework Commentary Risk appetite framework Ninety-five percent of respondents have a formal risk appetite statement (RAS) in place. A significant proportion of RASs (41%) are qualitative with little quantification of statements. Respondents seem to converge on the hierarchy of appetite, tolerances and limits. All use a top-down, or a combination of top-down and bottom-up approach in developing the framework to ensure alignment. Majority of respondents (73%) express the RAS broadly and use tolerances and limits to control the level of acceptable risks. We have observed increased adoption rates of operational risk (86% already in place and in development) and franchise value (50% already in place and in development) in corporate risk appetite as compared with the survey results last year (operational risk 40% already in place; franchise value 0% in place and in development). Quantitative limits for operational, interest rate and equity risks continue to develop across respondents with further efforts required for full adoption of quantitative limits. Majority of respondents (73%) take RAS into consideration when writing business. Capital and stress tests Most respondents indicate the importance of regulatory capital due to the lack of internal models. A few respondents in Australia indicate capital benefits with internal model use. One respondent, for example, faces higher restrictions on regulatory capital in meeting local requirements. While regulatory capital helps to understand drivers and impact, it may not measure all risks well (e.g., operational risk). Stress tests based on regulatory capital framework have been widely adopted to fulfill local reporting requirements. Most of the respondents (64%) applied individual shocks to each risk type. Shocks are then combined via correlation tables. Frequency of stress-testing exercise is usually annual, although more frequent reporting is observed (e.g., monthly) in some insurers. Better practices: Involving management early in the design of stress scenarios Considering stress-test scenarios from head office for consistency Stochastic models, simulations of balance sheet and profit and loss (P&L), and copulas Developing a distribution curve for each operational risk identified Forty-two percent of respondents have an Internal Capital Adequacy Assessment Process (ICAAP) that have not reached stability. Areas to improve on include: Reviewing number of stress tests and increasing level of scenario testing Wider coverage of risks (e.g., liquidity risks) Enhancing Key Risk Indicators (KRI) Evolving with business (demonstrating a stronger link with business) 10 APAC Insurance CRO survey Ι Empowering for transformation

11 Fig. 6: Which of the following metrics do you use in your corporate risk appetite? Regulatory capital 83% 17% 91% 9% Liquidity 83% 17% 86% 14% Credit rating 67% 33% 68% 5% 27% Operational risk 42% 58% 68% 18% 14% Total profit 42% 58% 50% 50% Operating profit 50% 50% 45% 9% 45% Economic capital 58% 8% 33% 36% 9% 55% Franchise value 100% 36% 14% 50% Economic profit 33% 67% 27% 5% 68% In place In development No metric Already in place Not in use Fig. 7: For which of the following risks have you set quantitative limits? Insurance and underwriting % 8% 82% 18% Credit 92% 8% 82% 18% Liquidity 75% 25% 77% 23% Equity 100% 68% 32% Interest rate 91% 9% 55% 45% Operational 67% 33% 50% 50% Quantitative limits in place No quantitative limits in place APAC Insurance CRO survey Ι Empowering for transformation 11

12 Key findings Emerging practices Insurers continue to enhance their risk appetite to better inform decision-making, including risk oversight. There are examples where risk appetite have been used to inform reinsurance purchase, business acquisition and underwriting. This reflects greater alignment of the risk management infrastructure and the business drivers. Key trends observed Better linkage between business plan, risk appetite framework and capital Moving toward economic capital in the long run Revision of stress tests to have wider coverage of key risks events Mature organizations recognize the need to align behaviors and culture with risk appetite this remains work in progress. Insurers continue to improve the links among business, capital and risk. Setting quantitative limits to all risks continues to be the challenge. 12 APAC Insurance CRO survey Ι Empowering for transformation

13 Developing and implementing the risk culture and conduct frameworks Commentary There is ongoing work in developing and implementing frameworks for the management of risk culture and conduct risk. While significant progress has been made over the last two years in thinking about approaches to risk culture, progress has still remained slow. Less than one in two (45%) insurers across the APAC region have developed a risk culture or risk conduct framework. The maturity of risk culture elements is largely in development. The elements of goal setting, remuneration and defining a target state are proving to be the leading place to start the development of risk culture frameworks. Measurement and quantification of risk culture and conduct risk continues to be a challenge. Fig 8. The three lens approach The three lens approach combines perceptions, mechanisms and outcome data to gain an objective view of a firm s culture The EY assessment approach Hypothesis based on industry and client experience are tested The assessment answers the what and why question and outlines root causes of behaviours and outcomes The outcome of our assessment is intervention-based and outlines high-impact initiatives that will build on curent strengths and address current weaknesses Apply 80/20 approach to survey design and data collection: standard questions and data requests supplemented by tailored questions for the specific drivers of the assessment (i.e., focus on conduct) Build a risk culture dashboard to provide the executive committee or non-executive directors committee with a frequent pulse check Mechanisms Policies Processes Governance Management information Talent management Motivation Responsiveness Organization capability Relationships Capabilities Risk management framework Risk transparency Tone at top Strategy Risk appetite Behaviors Outcomes Leadership Organisational structure Outcomes Breaches and near misses Consequence management Customer complaints analysis and trends Behaviors Roles and responsibilities Governance Perceptions Interviews Focus groups Identify root cause APAC Insurance CRO survey Ι Empowering for transformation 13

14 Fig 9. Have you developed a risk culture framework? 45% 55% Yes No Fig 10. Rate your organization s maturity against the following risk culture framework elements Defining a target state of risk culture Risk culture in goal setting Risk culture in remuneration Reporting measurements to management committee Risk culture in product development Developing tolerances for key culture metrics Developing action plans for risk culture 18% 50% 32% 18% 50% 32% 14% 59% 27% 14% 50% 36% 9% 59% 32% 9% 36% 55% 5% 64% 31% Mature Progressing in maturity No action taken Yes, [we have implemented the risk culture framework] three years ago. We have defined our risk culture through the espoused values with links to the remuneration framework, annual engagement survey, and the reward and recognition program. 14 APAC Insurance CRO survey Ι Empowering for transformation

15 Key findings The focus on conduct risk is clearly uneven across APAC with wide variations between markets, where regulators explicitly discuss conduct risk. There are jurisdictions where elements of conduct risk are embedded in other regulations, and jurisdictions where conduct risk has yet to emerge as a regulatory focus. However, a growing number of regulators in the region are seeking to understand the steps firms are taking to manage conduct risk. Many firms are also beginning to better define conduct risk and incorporate its considerations right across the employee life cycle: recruitment, performance assessment, training, incentives and remuneration. In many jurisdictions, there has been an emergence of formal conduct risk frameworks, with dedicated teams supporting a conduct risk program. We believe widely divergent conduct risk practices within the region will continue largely correlated to the level of regulatory focus in home markets. Differences at the country level are largely due to different regulatory expectations and approaches to conduct risk. Larger firms and those headquartered in the US or Europe, where regulators have set high conduct risk management benchmarks, tend to have more advanced practices. Nonetheless, in 2018, we will continue to see an increased focus on conduct risk governance and measurement, frameworks, conflicts of interest, and people practices. Fig 11. Have you developed a risk conduct framework? 45% 55% Yes No Fig 12. Rate your organization s maturity against the following risk conduct framework elements Roles and responsibilities of the board and senior management-related committees designated to conduct risk Metrics in risk appetite statement for conduct risk and reporting 8% 67% 25% 8% 67% 25% Target framework for conduct risk 67% 33% Mature Progressing in maturity No action taken APAC Insurance CRO survey Ι Empowering for transformation 15

16 Strengthening the management of cyber risk across the organization Commentary The maturity of understanding, measuring and governing cyber risks has come a long way over the last 12 months. Organizations now clearly understand that cyberattackers do not just target money or credit card details, but also valuable data, including customer data. The damage caused by a major data breach will not only be financial, but will also have a significant reputational impact to the organization. Despite the material improvement in understanding cyber risks and potential impacts, risk teams are struggling to bring cyber expertise into the second line this is mainly a function of skills shortage. 16 APAC Insurance CRO survey Ι Empowering for transformation

17 Fig. 13: Has cyber risk been incorporated into strategic planning? 59% 41% Yes No Fig. 14: How much of your team (time and headcount) is devoted to cyber security? Please specify the number of full time equivalent (FTE) 0 45% % 5+ 5% Key findings Relationships between the CRO and the chief information and security officers appear to be in development and are improving through increased engagement. Measurement of cyber risks, including tolerances related to risk appetites, seems more detective and reactive in nature. That is, there is reporting of post-event incidents and intrusions, rather than more proactive metrics that show the cyber risk management capability of an organization (things like training and awareness programs, patching programs and frequency, and vulnerability management). Cyber risk scenarios do not appear to be consistently embedded in organizations crisis management response frameworks (relying on more traditional building outage or pandemic preparations) or scenarios (preferring more financial risk event scenarios). APAC Insurance CRO survey Ι Empowering for transformation 17

18 Preparing for and addressing key regulatory challenges Commentary Current and anticipated future challenges: The CRO s role continues to evolve away from the traditional risk and regulatory compliance role into becoming a partner with the business with greater influence of the strategic direction of the firm. Fig. 15: 2017 Can you describe the role of the risk management function in the following key processes? ERM installation and maintenance of risk framework Risk appetite setting 95% 5% 91% 9% Risk measurement and reporting Risk tolerance and limit setting 73% 82% 18% 18% 9% Stress testing design Stress testing performance and reporting Model risk management 32% 32% 45% 55% 59% 9% 41% 27% Model validation Model governance Risk mitigation Capital management 23% 18% 14% 14% 36% 41% 55% 27% 86% 77% 9% Reinsurance program design Reinsurance program execution 5% 5% 45% 73% 50% 23% Oversight or reserving and valuation 5% 45% 50% Technical provision 5% 32% 64% Strategic decisions (M&A) Investments Setting of asset strategy Product design and pricing 91% 86% 77% 73% 9% 14% 23% 27% Underwriting 41% 59% Process owned by Risk and CRO Influence and approve Risk has limited influence 18 APAC Insurance CRO survey Ι Empowering for transformation

19 Fig. 16: 2016 Can you describe the role of the risk management function in the following key processes? Risk appetite setting Risk tolerance and limit setting Stress and scenario testing 100% 92% 8% 83% 17% Capital management Risk mitigation 67% 75% 25% 25% 8% Model governance 50% 25% 17% Model validation 42% 33% 17% Investments 17% 67% 17% Reinsurance Product approval Business strategy 8% 8% 67% 25% 67% 25% 75% 25% Strategic decisions (e.g., M&A) 67% 33% Reserving 25% 67% Technical provision 50% Process owned by Risk and CRO Influence and approve Risk has limited influence Fig. 17: What impact does the current regulatory environment have on business strategy? 23% 13.5% 32% Significant positive impact Insignificant negative impact 13.5% 18% Insignificant positive impact Significant negative impact No impact APAC Insurance CRO survey Ι Empowering for transformation 19

20 Fig. 18: Time allocation of risk function to regulatory vs. business matters 70% regulatory and 30% business 50% regulatory and 50% business 14% 14% 27% 27% 30% regulatory and 70% business 45% 71% Key findings The role of the CROs continue to evolve from traditional organizational compliance with the risk management frameworks and regulatory agenda to spending more time on strategic drivers and business matters within the firm. This is reflected in the shift from the previous year with CROs spending more time devoted to business matters than regulatory matters. When asked how much CROs owned, influenced or had limited influence over business processes, most indicated that they had an increased influence or approval over key processes, showcasing the remit of the CRO office continuing to expand and evolve over time. Three to five years from now, possibly, the CROs role is to be a key go-to person for the CEO and heads of businesses to engage in relation to business strategies. The industry is under increased regulatory and government scrutiny, so the role of CRO now has a heightened sensitivity and importance at the executive table than ever before. Implementation of new regulatory and supervisory requirements remains a key industry focus, with specific regulations on top of the agendas in Asia, including Risk-Based Capital 2, IFRS 17 Insurance Contracts and China Risk Orientated Solvency System. CROs in Australia are more concerned by the local requirements: Life Insurance Framework, Emergency Service Levy, Banking Executive Accountability Regime, Australian Securities Investment Corporation regulatory work and Parliamentary Joint Committee inquiries. The respondents have very mixed views on the impact of the current regulatory environment on the business strategy, yet 50% still think there is a positive impact. One of our biggest challenges is the heterogeneity of local regulatory requirements. As insurers eye the path forward, they must consider existing and future laws and regulations regarding data protection, consumer privacy and cybersecurity. Critical thinking and complex problem-solving skills will be key as new areas (e.g., AI, insurtech) come to the fore. 20 APAC Insurance CRO survey Ι Empowering for transformation

21 Positioning adequately for emerging trends Commentary Emerging risk management continues to play a critical role to insurers in how they are managing risks. Fig. 19: A typical emerging-risks radar for CROs Political Economic Risk areas that CROs are unaware of Political intervention Expense risk and medical inflation Declining margins from legacy products Risk models being overly complicated Sustainability and affordability of existing products Legal Social Regulatory compliance risk CRO Changing consumer expectation Consumer regulation Climate change Catastrophe risk Technological advancements (continuing threat) Legacy infrastructure and systems, which prevent being up-to-date with competitors New competitors and new ways of doing business Autonomous vehicles Internet of things Risks with artificial intelligence (AI) Environmental Overpopulation issues Fintechs Cybersecurity Technological APAC Insurance CRO survey Ι Empowering for transformation 21

22 Key findings For all the variation across individual companies, there is consensus that the universe of emerging risks is expanding, with CROs facing broader range of more-severe risks in 2017 and in the years to come (refer to Fig. 19) CRO s role in emerging risk processes include: Facilitating process with the business Reporting to the risk committee or board Providing feedback to the business units Serving as a link to business and strategic planning, to ensure these processes are responsive to emerging risks An insurer s understanding of cyber risks, 5 10 years ago, was mostly nonexistent. Now, it is on the agenda of every board. There are dedicated responses to managing cyber as well as capitalizing the opportunity it brings through the development of cyber insurance. Risk functions are clearly investing in this capability. With the onset of new business models, such as the digital agenda, robotics, telematics, internet of things and insurtech, it is clear that many insurers need to understand what the next emerging risk is. How do risk functions need to evolve with the emerging landscape? Increase role in business and strategic planning Continue to challenge role of management Create heightened sensitivity and importance at the executive table Increase level of monitoring, challenge and reporting Greater involvement throughout strategy setting beyond rubber stamping Responding to an increasing pace of change Half of the respondents have only used written communications to communicate internally on the potential exposure to geopolitical events. Some good practices involved the use of these events within stress testing and scenario analysis. Fig. 20: How does risk management evaluate and communicate potential exposure to the geopolitical events that have occured or could occur (e.g., Brexit, French presidential election, US presidential election)? Written communications ( and visual materials) Training or information sessions No evaluation or communciation is done Other* 14% 14% 22% 50% * Examples include Ensuring these geopolitical events are factored into the base and stress scenarios, Quarterly risk profile updates to the Board Risk Management Committee, Evaluation performed at Group level and provided to local CRO and Inclusion in Top risks and emerging risks presented to the executives and the Board. 22 APAC Insurance CRO survey Ι Empowering for transformation

23 Engaging in the digital transformation of the risk management function Commentary The challenge of developing the risk function s capabilities include stagnating budgets, scarce specialist resources and balancing people vs. IT. Fig. 21: Compared with a year ago, has the size of your risk department: Increased 50% Stayed the same 45% Decreased 5% Fig. 22: Compared with a year ago, would you say that hiring and retaining good talent is: Harder 27% Easier 0% About the same 73% Fig. 23: Do you expect dedicated business-as-usual risk function budgets to materially increase, decrease or stay at similar levels going forward? Materially decrease 5% Stay similar 86% Materially increase 9% APAC Insurance CRO survey Ι Empowering for transformation 23

24 Fig. 24: The plans for the budget of the risk team are: To increase 23% To decrease 0% To stay the same 77% Fig. 25: Is the proportion of your budget allocated towards FTE vs. technology, going to: Increase 27% Decrease 14% Stay the same 59% Key findings The actual results regarding the size of the risk department are mostly in line with what was expected based on last year s survey no surprises at least on that side. Perhaps, this is due to the fact that hiring and retaining good talent has not improved in one year, and that dedicated budgets have not changed dramatically year-on-year in one direction or another. In terms of where these budgets would go in priority, people still have the lead over technology. In terms of specialist skills, surveyed CROs are especially looking for expertise in cyber and IT security, data analytics and big data, machine learning, anti-money laundering and AI. These talents are very scarce for now and risk functions need to think of ways to overcome this challenging shortage. Going forward, the vast majority of respondents do not expect the dedicated business-as-usual risk budgets to change. Critical thinking and complex problem-solving skills will be key as new areas (e.g., AI, insurtech) come to the fore. Specific competencies in cybersecurity, financial technology, negotiation, EQ and collaborating with others will help to facilitate risk advisory, analysis and mitigation actions. As the risk function grows in maturity and needs more specialist skills, it is required to improve its cost effectiveness and demonstrate its value so as to be able to invest more going forward. But as it enters the digital age, the risk function needs to find the right balance between poaching (scarce) talent and investing in the new technologies, which will help build the momentum. 24 APAC Insurance CRO survey Ι Empowering for transformation

25 Commentary Outlook for the CRO role in 3 5 years. (1) More attention to IT and data security is required as more businesses are done digitally and more processes are automated. (2) More integration is required between risk, compliance and financial crime secondline activities. With strong risk culture, the CRO will have the comfort that all interests are aligned and the CRO will be in a better position to further optimize risk taking. The issue that CROs will battle with could be different and unexpected. In Asia, there is the prospect of more focus on market-consistent solvency frameworks, as regulators mature. Equally maturing regulations could mean that customer outcomes and fairness have become a key consideration for CROs, especially those responsible for compliance functions. The role of the CRO in 3-5 years time may tilt more towards (a) Strategic risk advisory vs. risk oversight, (b) Preemptive actions vs. ex-post and knowing all the factors (c) Resiliency vs. incident management, and (d) Coach to first line vs. just being at second line of defense. Continued increase in business and strategic planning. More efficient and real-time risk metrics and reporting. The industry is under increased regulatory and government scrutiny, so the role of CRO now has a heightened sensitivity and importance at the executive table than ever before. I see the role of CRO as developing beyond being a reactive role to regulatory pressures, to be a very proactive and nimble proactive and evolving role. As more complex risk management will be performed within the line 1 functions, the level of monitoring, challenge and reporting of the risk function will increase. APAC Insurance CRO survey Ι Empowering for transformation 25

26 Commentary Engaging in the digital transformation of the risk function. Key findings In last year s survey, under the headline In the battle between investment in people and in technology, it is people that win every time, we noted that CROs recognize the need to continuously improve their existing IT capability; however, we see CROs being hesitant to increase their investment in new technologies. Even though some of the previous results tend to show the same facts, it needs to be pointed out that almost a third of respondents have plans to look into offshoring, robotics or other forms of efficiency gains to help manage costs in the Risk teams. More precisely, robotics, AI, machine learning and data analytics are increasingly mentioned as being explored for risk and compliance activities (e.g., AML screenings). Example of leading practice from a respondent: We use big data and analytics tools to support our net promoter score (NPS) surveys to help strengthen our insights into complaints and customer dissatisfaction. We are currently looking at other analytical tools that can be used for quality assurance (QA) and due diligence purposes, which we may implement once evaluated. We are in the early stages of assessing AI and other analytics to various elements of risk management. Risk functions encounter several technology constraints that restrict them practically from their desired level of monitoring and reporting of risk, mostly data quality (integrity, availability and completeness) and complexity of multiple systems (legacy, fragmented, siloed, incompatible, disparate and inconsistent). A broader enablement of the risk function is necessary, so that it can gain in efficiency when providing more insightful management information (MI) for the consideration of the board and senior management. This is why some risk functions have embarked onto a journey toward their digital transformation through the development and use of tools, such as GRC, visualization, robotics, big data, analytics, AI and machine learning. Digital transformation continues to be focused on the customer interface. Increasingly, firms are building or planning to build technology solutions that fundamentally change the way insurers operate, so they can deliver the digital promise to customers speedily and cost-effectively. Beyond the interactions with customers, risk functions will increasingly have to consider how to change their approach to manage the shift in the firm s risk profile resulting from digital transformation, and being agile enough to enable innovation. Over time, risk functions will have to leverage technology to improve risk management, and become technology innovators rather than spectators. Even if the main focus of insurance CROs is on talent, it is important that someone is tasked with establishing the risktech strategy: What gaps need addressing? What options exist to enable risk? What are the pros and cons? How are you scanning the rapidly changing market? 26 APAC Insurance CRO survey Ι Empowering for transformation

27 Key contacts Jonathan Zhao Asia-Pacific Insurance Leader Sumit Narayanan ASEAN Insurance Leader Grant Peters Oceania Insurance Leader grant.peters@au.ey.com Bonny Fu China (mainland) bonny.fu@cn.ey.com Hiroshi Yamano Japan hiroshi.yamano@jp.ey.com David Scott Singapore david.scott@sg.ey.com Phil Rodd Hong Kong phil.rodd@hk.ey.com Yong Joo Han South Korea yong-joo.han@kr.ey.com Patrick Menard Singapore patrick.menard@sg.ey.com Tze Ping Chng Hong Kong tze-ping.chng@hk.ey.com Brandon Bruce Malaysia brandon.bruce@my.ey.com Nonglak Pumnoi Thailand nonglak.pumnoi@th.ey.com Kent Wong Australia kent.wong@au.ey.com Thomas Kagermeier EMEIA Insurance FRAC Leader thomas.kagermeier@de.ey.com James Brigham Australia james.brigham@au.ey.com Rick Marx US rick.marx@ey.com Pierre Santolini Singapore pierre.santolini@sg.ey.com APAC Insurance CRO survey Ι Empowering for transformation 27

28 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com EYGM Limited. All Rights Reserved. EYG no Gbl BMC Agency GA ED None In line with EY s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com